Australian Federal Police highlight Australian firms’ weak data security which enables hacking
April 15, 2016
It is hardly news to those who practise in the area that many Australian organisations place data security and privacy well down the priority list. That is partly, and significantly, because of inadequate legislation and anaemic regulation in Australia. Now the Australian Federal Police have publicly stated that Australians’ pay is at risk because of attacks on poorly protected share trading platforms and superannuation funds, and through tax return fraud, amongst other scams. This is reported in Staff fall victim to cyber criminals hacking into pay, which provides:
The pay of hundreds of thousands of Australians is at risk of being siphoned off by cyber criminals because of weak security, according to the Australian Federal Police, which says such crimes have risen dramatically in recent years.
Attacks on share trading platforms and superannuation funds and tax return fraud have also become more frequent and lucrative, AFP cybercrime operations team leader Scott Mellis told the Australian Cyber Security Centre Conference in Canberra yesterday. He said cyber criminals had become smarter, engaging in reconnaissance missions to ensure maximum gain from compromising online funds and payment systems, rather than performing a “smash and grab”.
“Anywhere where money’s held with weak security and poor design is at risk,” he said, suggesting the big banks’ bolstering of their online security had led criminals to less obvious targets.
Mr Mellis said the HR payroll systems of several Australian companies had been hacked over the past year, with employees’ pay diverted to “cash mule” bank accounts.
“The standard methodology for the attack was to log in to the HR payroll system with the stolen credentials, check the date of the next pay run, log out, log back in near the pay run, alter the payee account details to those of multiple mules so you’ve got no single point of failure, and the payroll run proceeds,” Mr Mellis said.
He said companies generally didn’t realise they had a problem until staff complained that they hadn’t received their pay. Mr Mellis said “CEO impersonation”, where criminals send emails to employees purporting to be senior executives in their company and requesting payments, were also becoming more frequent in Australia and globally.
The FBI this week estimated $2.3 billion had been lost to business email compromise crimes over the past three years.
Mr Mellis said the AFP had detected CEO impersonation crimes involving sums of up to $900,000 last financial year. “We haven’t seen a single million dollar transaction yet, but I think we’re on the cusp of it,” he said.
Mr Mellis said CEO impersonation crime gangs had generally been traced to West Africa, while those hacking into super funds and share traders were often Eastern European.
As well as deploying “fly-in mules”, often from Europe, crime gangs were also engaging locals to act as cash collection mules.
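The payroll diversion pattern Mr Mellis describes, a login with stolen credentials to read the pay run date, a return just before the run, and a batch of payee account changes spread across several mule accounts, leaves a distinctive trace in a payroll system's audit trail, and the point that companies only noticed when staff complained is the gap a detection rule is meant to close. The following Python check is an added example, not part of the quoted article or of this post, and runs over a constructed audit log (the record layout, the `hr.jane` login, the employee ids and the `MULE-ACCT-*` account strings are all invented for the example). It flags bank-account changes that land inside the window before the pay run, bursts of changes by one login, and one destination account reused across several employees.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real data). Each row is one field change
# as a payroll system's audit trail might record it: when, which login did it,
# which employee record, which field, and the old/new values.
AUDIT_LOG = [
    {"ts": "2016-04-05T10:12:00", "actor": "hr.jane", "employee": "E100",
     "field": "bank_account", "old": "062-000 11111111", "new": "062-000 22222222"},
    {"ts": "2016-04-20T09:00:00", "actor": "hr.jane", "employee": "E104",
     "field": "address", "old": "1 Old St", "new": "2 New St"},
    {"ts": "2016-04-26T22:41:00", "actor": "hr.jane", "employee": "E101",
     "field": "bank_account", "old": "062-000 33333333", "new": "MULE-ACCT-A"},
    {"ts": "2016-04-26T22:44:00", "actor": "hr.jane", "employee": "E102",
     "field": "bank_account", "old": "062-000 44444444", "new": "MULE-ACCT-B"},
    {"ts": "2016-04-26T22:47:00", "actor": "hr.jane", "employee": "E103",
     "field": "bank_account", "old": "062-000 55555555", "new": "MULE-ACCT-B"},
]

PAY_RUN = datetime(2016, 4, 28)  # constructed pay-run date for the example


def bank_changes(log):
    """Keep only bank-account changes, with parsed timestamps, in time order."""
    rows = [dict(r, ts=datetime.fromisoformat(r["ts"]))
            for r in log if r["field"] == "bank_account"]
    return sorted(rows, key=lambda r: r["ts"])


def flag_suspicious_changes(log, pay_run, window_days=3, burst_count=3,
                            burst_window=timedelta(hours=1)):
    """Score each bank-account change against three heuristics drawn from the
    AFP description: timing just before the pay run, a burst of changes by one
    login, and one destination account shared by several employees.
    Returns {employee: [reasons]} for every change that trips at least one rule.
    """
    rows = bank_changes(log)
    reasons = defaultdict(list)

    # Rule 1: the change lands inside the window immediately before the pay run.
    for r in rows:
        if pay_run - timedelta(days=window_days) <= r["ts"] <= pay_run:
            reasons[r["employee"]].append("pre_payrun")

    # Rule 2: one login changes at least burst_count accounts within burst_window.
    by_actor = defaultdict(list)
    for r in rows:
        by_actor[r["actor"]].append(r)
    for actor_rows in by_actor.values():
        for i, r in enumerate(actor_rows):
            window = [x for x in actor_rows[i:] if x["ts"] - r["ts"] <= burst_window]
            if len(window) >= burst_count:
                for x in window:
                    if "burst" not in reasons[x["employee"]]:
                        reasons[x["employee"]].append("burst")

    # Rule 3: the same new account number appears on more than one employee record.
    by_dest = defaultdict(set)
    for r in rows:
        by_dest[r["new"]].add(r["employee"])
    for emps in by_dest.values():
        if len(emps) > 1:
            for e in emps:
                reasons[e].append("shared_destination")

    return dict(reasons)


if __name__ == "__main__":
    for employee, why in sorted(flag_suspicious_changes(AUDIT_LOG, PAY_RUN).items()):
        print(f"{employee}: {', '.join(why)}")
```

On the constructed log the routine-looking change to E100 three weeks out passes clean, while the three late-night changes two days before the run are each flagged on timing and burst, and the two that share a destination are flagged a third time. In practice the alert would go to payroll staff for an out-of-band confirmation with the employees before the run proceeds, which is the step that turns the "staff complained after payday" discovery into a pre-payday one.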
Some of the reported techniques, such as masquerading as a CEO, are fairly prosaic and can be countered with proper privacy training.
None of this is a bolt out of the blue. In February 2015 the ABC reported on major hacking attacks on Australian banks which may, or may not, have been successful, as Westpac, Commonwealth and National Australia Bank refused to comment. They are free to refuse, as there is no mandatory data breach notification legislation.
While the Privacy Act is a flawed legislative instrument, with incomplete coverage, it has been the poor regulation and weak, tentative and generally inchoate enforcement that is the real and pressing problem. The new and strong enforcement powers came into effect on 12 March 2014. The use of those powers has been confined to enforceable undertakings, made as a result of organisations reporting themselves. In short, enforcement has been reactive. Until there is proper enforcement of the Act it is unlikely that this problem will be properly addressed.